Syslog Forwarder


The Syslog Forwarder accepts both syslogs and raw logs and forwards them to Skylar Automated RCA for automated anomaly detection.

The GitHub repository is located here: https://github.com/zebrium/ze-log-forwarder.

Preparation

  1. By default, the syslog forwarder container uses TCP and UDP port 5514 for syslog, and TCP port 5170 for TCP forwarding. Make sure clients can reach the host IP on those ports.
  2. For syslog forwarding, make sure the host firewall does not block port 5514 for both TCP and UDP. For TCP forwarding, make sure the TCP port 5170 is open.
  3. Install Docker software if it is not installed.

Forward Syslog

Installation

  1. To support syslog over TCP and UDP, run the following command as root, and be sure to replace items in <BRACKETS> with real values:

    docker run -d --name="zlog-forwarder" --restart=always \
     -p 5514:5514/tcp \
     -p 5514:5514/udp \
     -e ZE_LOG_COLLECTOR_URL="<ZE_LOG_COLLECTOR_URL>" \
     -e ZE_LOG_COLLECTOR_TOKEN="<ZE_LOG_COLLECTOR_TOKEN>" \
     -e ZE_DEPLOYMENT_NAME="<DEPLOYMENT_NAME>" \
     zebrium/log-forwarder:latest
  2. To support syslog over TLS and UDP, create or copy the root certificate, the host certificate, and the host private key files to a directory on the host that will be running the log-forwarder container.

  3. Run the following command as root:

    docker run -d --name="zlog-forwarder" --restart=always \
     -p 5514:5514/tcp \
     -p 5514:5514/udp \
     -v <USER_SERVER_CERTS_KEY_DIR>:/fluentd/tls \
     -e ZE_SYSLOG_PROTOCOL="tls" \
     -e ZE_LOG_COLLECTOR_URL="<ZE_LOG_COLLECTOR_URL>" \
     -e ZE_LOG_COLLECTOR_TOKEN="<ZE_LOG_COLLECTOR_TOKEN>" \
     -e ZE_DEPLOYMENT_NAME="<DEPLOYMENT_NAME>" \
     zebrium/log-forwarder:latest

Client Configuration

  1. Use the host IP as the syslog server IP address, and port 5514 as the syslog port.
  2. To configure rsyslog:
     • To use UDP, add the following line to the end of the rsyslog configuration file:
       *.* @<LOG_FORWARDER_HOST_IP>:5514
     • To use TCP, add the following line to the end of the rsyslog configuration file:
       *.* @@<LOG_FORWARDER_HOST_IP>:5514
     • To use TLS:
       • Copy client_configs/rsyslog/25-zebrium.conf to /etc/rsyslog.d/.
       • Open the file, replace CLIENT_SSL_CERT_PATH with the real client SSL certificate path, change SERVER_HOST to the hostname running the log-forwarder container, and change SERVER_DOMAIN_NAME to the domain of the host running the log-forwarder container.
       • Restart the rsyslog service.

Setup

No additional setup is required.

Forward Log via TCP

Installation

Run the following command as root, and be sure to replace items in <BRACKETS> with real values:

docker run -d --name="zlog-forwarder" --restart=always \
    -p 5170:5170/tcp \
    -e ZE_LOG_COLLECTOR_URL="<ZE_LOG_COLLECTOR_URL>" \
    -e ZE_LOG_COLLECTOR_TOKEN="<ZE_LOG_COLLECTOR_TOKEN>" \
    -e ZE_DEPLOYMENT_NAME="<DEPLOYMENT_NAME>" \
    -e ZE_TCP_HOSTNAME="<TCP_FORWARDER_HOSTNAME>" \
    -e ZE_TCP_LOGBASE="tcp_forwarder" \
    -e ZE_TIMEZONE="<TIME_ZONE>" \
    zebrium/log-forwarder:latest

where <TIME_ZONE> is the timezone of the log messages, such as "UTC" or "EDT".

Setup

No additional setup is required.

Testing your installation

After the log forwarder software has been deployed in your environment, your logs and anomaly detection will be available in the Skylar Automated RCA user interface.
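A quick way to confirm that the forwarder is reachable before checking the user interface is to send a known test line from a client, over both UDP (what the rsyslog "@" target uses) and TCP (the "@@" target). The script below is an added example, not part of the ze-log-forwarder project; it assumes the forwarder was started with the default 5514/tcp and 5514/udp mappings, and FORWARDER_HOST is a placeholder to replace with the real host IP.

```python
"""Send a test syslog line to the Syslog Forwarder on port 5514.

Added example, not part of the ze-log-forwarder project. It assumes the
forwarder is reachable at FORWARDER_HOST (placeholder) with the default
5514/tcp and 5514/udp port mappings from the installation step.
"""
import socket
import time

FORWARDER_HOST = "LOG_FORWARDER_HOST_IP"  # placeholder: replace with the real host IP
FORWARDER_PORT = 5514

# Facility and severity codes from RFC 5424, section 6.2.1 (subset).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI value as defined by RFC 5424: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_message(hostname, app, msg, facility="user", severity="info", ts=None):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    if ts is None:
        ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return f"<{priority(facility, severity)}>1 {ts} {hostname} {app} - - - {msg}"


def send_udp(line, host=FORWARDER_HOST, port=FORWARDER_PORT):
    """UDP: one datagram per message, matching the rsyslog '@' target."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def send_tcp(line, host=FORWARDER_HOST, port=FORWARDER_PORT):
    """TCP: newline-terminated message, matching the rsyslog '@@' target."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((line + "\n").encode("utf-8"))


if __name__ == "__main__":
    line = build_message("client01", "zetest", "log-forwarder test message")
    send_udp(line)
    send_tcp(line)
    print("sent:", line)
```

Search the user interface for the app name (zetest) to confirm the line arrived over each transport.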